Analysis Overview
SHA256
467067b7b752259afab91d03a8e163b5022341d359fe0d31cfe0c28af4ccec38
Threat Level: Likely benign
The file pgxmuwgx.exe was found to be: Likely benign.
Malicious Activity Summary
UPX packed file
Unsigned PE
Command and Scripting Interpreter: PowerShell
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Suspicious behavior: EnumeratesProcesses
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-11-10 21:55
Signatures
UPX packed file
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | N/A | N/A |
Unsigned PE
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-11-10 21:55
Reported
2024-11-10 21:55
Platform
win7-20240903-en
Max time kernel
0s
Command Line
Signatures
Processes
Network
Files
Analysis: behavioral2
Detonation Overview
Submitted
2024-11-10 21:55
Reported
2024-11-10 21:57
Platform
win10v2004-20241007-en
Max time kernel
92s
Max time network
138s
Command Line
Signatures
UPX packed file
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Command and Scripting Interpreter: PowerShell
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
|---|---|---|---|
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\pgxmuwgx.exe
"C:\Users\Admin\AppData\Local\Temp\pgxmuwgx.exe"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c color 0a && mode con: cols=90 lines=26
C:\Windows\system32\mode.com
mode con: cols=90 lines=26
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -Command "Get-AppPackage -Name Microsoft.MinecraftUWP | Select-Object -ExpandProperty Version"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -Command "Get-AppPackage -Name Microsoft.MinecraftUWP | Select-Object -ExpandProperty Architecture"
Network
| Country | Destination | Domain | Proto |
|---|---|---|---|
| US | 8.8.8.8:53 | 28.118.140.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 14.160.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 241.150.49.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 18.31.95.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 197.87.175.4.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 98.117.19.2.in-addr.arpa | udp |
Files
memory/2176-0-0x00007FF7A7250000-0x00007FF7A88D3C27-memory.dmp
memory/3984-1-0x00007FFE75C13000-0x00007FFE75C15000-memory.dmp
memory/3984-2-0x0000020FF3F80000-0x0000020FF3FA2000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_ycgfi2dm.vlt.ps1
| MD5 | d17fe0a3f47be24a6453e9ef58c94641 |
| SHA1 | 6ab83620379fc69f80c0242105ddffd7d98d5d9d |
| SHA256 | 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7 |
| SHA512 | 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82 |
memory/3984-8-0x00007FFE75C10000-0x00007FFE766D1000-memory.dmp
memory/3984-13-0x00007FFE75C10000-0x00007FFE766D1000-memory.dmp
memory/3984-15-0x0000020FF3F70000-0x0000020FF3F7A000-memory.dmp
memory/3984-14-0x0000020FF3FB0000-0x0000020FF3FC6000-memory.dmp
memory/3984-16-0x0000020FF6640000-0x0000020FF6666000-memory.dmp
memory/3984-19-0x00007FFE75C10000-0x00007FFE766D1000-memory.dmp
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log
| MD5 | 958ec9d245aa0e4bd5d05bbdb37475f4 |
| SHA1 | 80e6d2c6a85922cb83b9fea874320e9c53740bd9 |
| SHA256 | a01df48cd7398ad6894bc40d27fb024dcdda87a3315934e5452a2a3e7dfb371d |
| SHA512 | 82567b9f898238e38b3b6b3cdb2565be8cac08788e612564c6ac1545f161cd5c545ba833946cc6f0954f38f066a20c9a4922a09f7d37604c71c8f0e7e46a59ec |
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
| MD5 | a8c4d2c53fbcc4a8d45ccbce9a278d86 |
| SHA1 | 22a03402aab2996381690bbd9cc11c3a3e087802 |
| SHA256 | 87e09cc730f24a2bd77d279b262d9a3110346d6f119e344d2c34f17a804754e3 |
| SHA512 | e6841e0b52b3b6df6a5baba347b64458433ef7d0fec1e2e6d3f0939379a62aa1bf85cab8a12cef667b41c5fe7a66b66e81f4f829ec0f3b3975848bcad83d8242 |
memory/2176-33-0x00007FF7A7250000-0x00007FF7A88D3C27-memory.dmp
Analysis: behavioral3
Detonation Overview
Submitted
2024-11-10 21:55
Reported
2024-11-10 21:58
Platform
win10ltsc2021-20241023-en
Max time kernel
97s
Max time network
143s
Command Line
Signatures
UPX packed file
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Command and Scripting Interpreter: PowerShell
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
|---|---|---|---|
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\pgxmuwgx.exe
"C:\Users\Admin\AppData\Local\Temp\pgxmuwgx.exe"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c color 0a && mode con: cols=90 lines=26
C:\Windows\system32\mode.com
mode con: cols=90 lines=26
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -Command "Get-AppPackage -Name Microsoft.MinecraftUWP | Select-Object -ExpandProperty Version"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -Command "Get-AppPackage -Name Microsoft.MinecraftUWP | Select-Object -ExpandProperty Architecture"
Network
| Country | Destination | Domain | Proto |
|---|---|---|---|
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 241.150.49.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 136.32.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 28.118.140.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 212.20.149.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 198.187.3.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | fd.api.iris.microsoft.com | udp |
| IE | 20.223.36.55:443 | fd.api.iris.microsoft.com | tcp |
| US | 8.8.8.8:53 | 55.36.223.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 88.210.23.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 83.210.23.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 29.243.111.52.in-addr.arpa | udp |
Files
memory/4192-0-0x00007FF6E2C70000-0x00007FF6E42F3C27-memory.dmp
memory/4232-1-0x00007FF8E6F43000-0x00007FF8E6F45000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_ue23f4p1.y5o.ps1
| MD5 | d17fe0a3f47be24a6453e9ef58c94641 |
| SHA1 | 6ab83620379fc69f80c0242105ddffd7d98d5d9d |
| SHA256 | 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7 |
| SHA512 | 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82 |
memory/4232-11-0x00007FF8E6F40000-0x00007FF8E7A02000-memory.dmp
memory/4232-12-0x00000152CFC20000-0x00000152CFC42000-memory.dmp
memory/4232-13-0x00007FF8E6F40000-0x00007FF8E7A02000-memory.dmp
memory/4232-14-0x00007FF8E6F40000-0x00007FF8E7A02000-memory.dmp
memory/4232-15-0x00000152CFEA0000-0x00000152CFEB6000-memory.dmp
memory/4232-16-0x00000152CFE90000-0x00000152CFE9A000-memory.dmp
memory/4232-17-0x00000152D0090000-0x00000152D00B6000-memory.dmp
memory/4232-20-0x00007FF8E6F40000-0x00007FF8E7A02000-memory.dmp
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log
| MD5 | 4e50615fbb2682d496773c1e3985a98e |
| SHA1 | 67413638787fdae9a8fb43c128811faf7dabc8ce |
| SHA256 | a13af49afd14efc8d114fbfd0ae7311482cd7af29c3d0cfc2b18be76c872bf94 |
| SHA512 | 852df909000e14c6e1c35bbff1602ddcf04756e17eee788cd1c78131e18e3b0f7034aa5b29e3c39957d667719956b3876fd001269e4fb9672a8db2e89ae8c79b |
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
| MD5 | 1a3101f3c4c89b36ec469cee45b28487 |
| SHA1 | c188454a1dcadcf103d53b4275f509165abd2088 |
| SHA256 | 62b50d6eb485d2b12f24bd64578560fbfc3b6fc97434682573fe3da44cb99f83 |
| SHA512 | c44724cc276f3ad139857c40b7edf19e01eb0d1b2d66f1d8f74449ed3e2503fb1fff65984cba85b8f921f8bf96928cc7f3d194230720412eb731faff991ec959 |
memory/4192-33-0x00007FF6E2C70000-0x00007FF6E42F3C27-memory.dmp
memory/4192-35-0x00007FF6E2C70000-0x00007FF6E42F3C27-memory.dmp
Analysis: behavioral4
Detonation Overview
Submitted
2024-11-10 21:55
Reported
2024-11-10 21:57
Platform
win11-20241007-en
Max time kernel
147s
Max time network
151s
Command Line
Signatures
UPX packed file
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Command and Scripting Interpreter: PowerShell
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
|---|---|---|---|
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\pgxmuwgx.exe
"C:\Users\Admin\AppData\Local\Temp\pgxmuwgx.exe"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c color 0a && mode con: cols=90 lines=26
C:\Windows\system32\mode.com
mode con: cols=90 lines=26
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -Command "Get-AppPackage -Name Microsoft.MinecraftUWP | Select-Object -ExpandProperty Version"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -Command "Get-AppPackage -Name Microsoft.MinecraftUWP | Select-Object -ExpandProperty Architecture"
Network
| Country | Destination | Domain | Proto |
|---|---|---|---|
| US | 8.8.8.8:53 | 43.229.111.52.in-addr.arpa | udp |
Files
memory/3540-0-0x00007FF676F70000-0x00007FF6785F3C27-memory.dmp
memory/3488-1-0x00007FF93C013000-0x00007FF93C015000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_jxvqjziz.ncr.ps1
| MD5 | d17fe0a3f47be24a6453e9ef58c94641 |
| SHA1 | 6ab83620379fc69f80c0242105ddffd7d98d5d9d |
| SHA256 | 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7 |
| SHA512 | 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82 |
memory/3488-11-0x00007FF93C010000-0x00007FF93CAD2000-memory.dmp
memory/3488-10-0x000001CDE2EC0000-0x000001CDE2EE2000-memory.dmp
memory/3488-12-0x00007FF93C010000-0x00007FF93CAD2000-memory.dmp
memory/3488-13-0x00007FF93C010000-0x00007FF93CAD2000-memory.dmp
memory/3488-14-0x000001CDE3060000-0x000001CDE307C000-memory.dmp
memory/3488-15-0x000001CDE3050000-0x000001CDE305A000-memory.dmp
memory/3488-16-0x000001CDE3470000-0x000001CDE3496000-memory.dmp
memory/3488-19-0x00007FF93C010000-0x00007FF93CAD2000-memory.dmp
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log
| MD5 | c4004e022f299839235e0b9b9eff21cb |
| SHA1 | 53cb70317be1181667d198f11bb38c5283fdf604 |
| SHA256 | b0520284a49198908379c3bce330cb4428559866de87e5a5cfb6eac510605a5f |
| SHA512 | 5190c53fa27055789d6cc66dd3b1f822aa7a1c75b27a568c3f354d743531efe5ec0f9fb88fe83a5253250201646524d783d75fc1c25cf8160d80090455f7fa89 |
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
| MD5 | 7d11fdb1cefb8bc8e6c7d4c0b8a4f486 |
| SHA1 | 51f70797f2fddd0817f14057f4818c5875be9057 |
| SHA256 | 30da8122353bf6033e7e90b037c11c053739cb61f46eb89d552ddea152637331 |
| SHA512 | 1ab45860498b90f09bd438dc907dc7933e180268cb5198767ffc6faf1de661199dd7933c714e3180476bd65cd9af386f45ae5cd7f0075ed425c0263b63838601 |
memory/3540-32-0x00007FF676F70000-0x00007FF6785F3C27-memory.dmp